[Cryptography] Passwords are dying - get over it
Joe St Sauver
joe at oregon.uoregon.edu
Mon Dec 23 10:48:35 EST 2013
Hi,
Kent commented:
#People love to say passwords are dead, but any alternate proposals they
#might suggest always seem worse to me.
And that's certainly consistent with the adoption rate we see for
alternatives to passwords, at least when users are choosing based
on ease-of-use/convenience, rather than the full panoply of
considerations (including things like the security of the
non-password-based authentication technology).
#Google seems to have the biggest head of steam by trying to become the
#single sign-in for everything else,
Among OpenID providers, Google's certainly the leader (Janrain
quotes their market share at 38%), but Facebook is non-negligible
at 27% and Yahoo's still in the race at 14%, see
http://janrain.com/blog/what-are-most-popular-networks-social-login-and-sharing-web/
(as quoted by me on slide 53 of
http://pages.uoregon.edu/joe/maawg-id-mgmt/maawg-id-mgmt.pdf )
Of course, there are alternatives to OpenID, including CAS and
Shibboleth, both popular in higher ed and some government
contexts (e.g., the Federal GFIPM project, http://www.gfipm.net/ ,
for example).
#and then, because they are so important they can force you to carry a
#Bsafe fob, or something like that. Actually, they probably won't go
#for a fob...
In Google's case, it's pretty clear that they're putting their
bet on smart phones as their 2nd factor/2nd channel of choice.
(See http://www.google.com/landing/2step/ )
I've got a page that lists a variety of phone-based two factor
authentication options at http://pages.uoregon.edu/joe/phone-2fa.html
(if I've inadvertently overlooked anyone, please let me know and
I'd be glad to add them to that page)
#Instead Google is working hard to know everything about me, and that is
#key to their security solution: they will know I am legit when I log in
#because they will know it is me because they have been following me.
A consideration to be aware of with OpenID is that not only
will the OpenID provider know "everything" about you, the
relying parties will ALSO get to know a surprising amount
about you, courtesy of what gets shared by default with the
relying party (although this can vary from identity provider
to identity provider, see slides 56-59 of the slide deck
mentioned above)
SAML-based solutions (like Shibboleth), on the other hand,
support fine grained attribute release policies, but in
that case, bilateral negotiation of attribute release
policies (beyond minimal default attribute release
policies) may hinder global scaling properties.
#Or something like that, they don't exactly know how it will work, but they
#are getting good at recognizing login patterns and being confident I am
#me based how and where I login.
You're really talking about risk-based authentication.
It may be key to keeping folks from going nuts as a
result of better-than-password technologies: if
someone's doing something they always do, from
where they always do it, when they always do it, and
the transaction's low risk anyhow, let them. On the
other hand, if they're doing something unusual,
from somewhere odd, at an uncommon time, and the
transaction is "significant" (typically high
dollar value, or security-sensitive), be careful
and require stronger authentication.
The down side of that approach, from my POV, is that
it adds unpredictability to my logins -- maybe I'm
prone to forgetting my smart phone at home, and
normally I can get away with it because I'm rarely
asked to do step-up authentication, but then bang,
once in a blue moon I might need it to login... ugh!
Regarding use of a simple notebook as a password
cache, Kent observed:
#(And don't bring the whole notebook when
#traveling internationally, maybe leave it with someone trusted whom you
#can phone.)
That's one good recommendation, but not the only one
you should be thinking about if you're traveling
internationally.
The Higher Education Information Security Council (HEISC)
has collected a variety of recommendations related to
international travel and cyber security; if interested,
see: "Security Tips for Traveling Abroad",
https://wiki.internet2.edu/confluence/display/itsg2/Security+Tips+for+Traveling+Abroad
Merry Christmas/Happy New Year,
Regards,
Joe
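The risk-based authentication policy Joe sketches above (familiar device, place and time plus a low-value transaction means let the password stand; anything unusual on a significant transaction means step up to a second factor), written out as a small decision function. This is an added illustration, not code from the post or from any identity provider; the signal weights, the 1000 USD threshold and the Profile/Attempt names are my own assumptions.

```python
from dataclasses import dataclass

# Constructed example of a risk-based authentication decision.
# Weights and thresholds below are illustrative assumptions, not vendor logic.

@dataclass
class Profile:
    known_devices: set      # device identifiers this user has logged in from before
    usual_countries: set    # countries the user habitually logs in from
    usual_hours: range      # local hours (0-23) in which the user normally logs in

@dataclass
class Attempt:
    device_id: str
    country: str
    hour: int
    amount_usd: float = 0.0          # monetary value of the requested transaction
    security_sensitive: bool = False # e.g. changing recovery e-mail or 2FA settings

def risk_signals(p: Profile, a: Attempt) -> list:
    """Return the list of anomaly signals present; empty means 'what they always do'."""
    signals = []
    if a.device_id not in p.known_devices:
        signals.append("unknown_device")
    if a.country not in p.usual_countries:
        signals.append("unusual_country")
    if a.hour not in p.usual_hours:
        signals.append("unusual_hour")
    return signals

def risk_score(p: Profile, a: Attempt) -> int:
    """Weighted sum: device and location count for 3 each, an odd hour only 1."""
    weights = {"unknown_device": 3, "unusual_country": 3, "unusual_hour": 1}
    return sum(weights[s] for s in risk_signals(p, a))

def is_significant(a: Attempt, high_value_usd: float = 1000.0) -> bool:
    """A transaction is significant if it is security-sensitive or high value."""
    return a.security_sensitive or a.amount_usd >= high_value_usd

def decide(p: Profile, a: Attempt) -> str:
    """'allow' lets the password alone through; 'step_up' demands a second factor.

    An off-hours login by itself (score 1) is tolerated; a new device or country,
    or any significant transaction, triggers step-up authentication.
    """
    if risk_score(p, a) <= 1 and not is_significant(a):
        return "allow"
    return "step_up"
```

Logging the output of risk_signals alongside each step-up decision gives the help desk a concrete reason when a user asks why they were suddenly challenged.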